AD-A283 920

Fair  Petri  Nets  and  Structural  Induction  for 
Rings  of  Processes* 

Jianan  Li 

Department  of  Electrical  Engineering  and  Computer  Science 
University  of  Wisconsin  -  Milwaukee 
P.O.  Box  784,  Milwaukee,  WI  53201,  U.S.A. 
jianan@convex.csd.uwm.edu


Ichiro  Suzuki 

Department  of  Electrical  Engineering  and  Computer  Science 
University  of  Wisconsin  -  Milwaukee 
P.O.  Box  784,  Milwaukee,  WI  53201,  U.S.A. 
suzuki@cs.uwm.edu

Masafumi  Yamashita 
Department  of  Electrical  Engineering 
Faculty  of  Engineering 
Hiroshima  University 

Kagamiyama,  Higashi-Hiroshima  724,  Japan 
mak@se.hiroshima-u.ac.jp

To  appear  in  Theoretical  Computer  Science 
December  1994 


Abstract  We  present  a  structural  induction  theorem  for  rings  consisting  of  an  arbitrary 
number  of  identical  components.  The  components  of  a  ring  are  modeled  using  a  “fair 
Petri  net,”  in  which  the  firing  of  a  prespecified  set  of  transitions  is  assumed  to  occur  fairly, 
i.e., any of these transitions that becomes firable infinitely often must fire infinitely often.
Specifically,  we  introduce  the  concept  of  similarity  between  rings  of  different  sizes,  and  give 
a  condition  under  which  the  similarity  between  the  rings  of  sizes  two  and  three  guarantees 
the  similarity  among  the  rings  of  all  sizes.  So  if  the  given  condition  is  satisfied,  then  the 
correctness  of  a  ring  of  any  large  size  can  be  inferred  from  the  correctness  of  a  ring  having 
only  a  few  components.  The  usefulness  of  the  theorem  is  demonstrated  using  the  examples 
of  token-passing  mutual  exclusion  and  a  simple  producer-consumer  system. 
1  Introduction


Concurrent  processing  systems  can  exhibit  extremely  complicated  behavior  because  of  the 
complex  timing  of  actions  of  different  processes.  Obtaining  useful  frameworks  for  analyzing 
such  systems  has  been  one  of  the  major  research  problems  in  computer  science. 

In recent years, a number of papers have appeared that discuss the problem of analyzing concurrent systems consisting of a large number of finite state machines [1] [3] [5] [8] [20] [25]. The basic question there is to decide, given a system $S(n)$ consisting of $n \geq 2$ finite state machines and a property $P(n)$ on $S(n)$, whether or not $S(n)$ satisfies $P(n)$ for all values of $n$. Note that conventional theorem provers based on state-space search cannot be used directly to answer this question, since they can be applied only to instances having a fixed state-space. The impossibility of solving this problem in general was first shown by Apt and Kozen [1], and then Suzuki [20] sharpened the result by showing that the problem remains unsolvable even if $S(n)$ is a unidirectional ring of $n$ identical finite state machines whose configuration is independent of the value of $n$. The results reported in [3] [5] [8] [25] are some of the efforts to find a sufficient condition for guaranteeing that $S(n)$ satisfies $P(n)$ for all values of $n$.

In this paper, we investigate the analysis problem stated above for systems that are rings of identical components, using fair Petri nets for representing the components. Intuitively, a fair Petri net is a Petri net in which the firing of a prespecified set of transitions is assumed to occur fairly, i.e., any of these transitions that becomes firable infinitely often must fire infinitely often. Formally, we define fair Petri nets as a subclass of temporal Petri nets [19]. Temporal Petri nets are Petri nets on which certain temporal constraints are given by formulas containing temporal operators, such as $\Diamond$ ("eventually") and $\Box$ ("always") [11] [12] [17].

Petri  nets  (see,  for  example,  [14])  are  widely  used  for  modeling  and  analysis  of  concurrent 
processing  systems.  The  combination  of  Petri  nets  and  temporal  logic  has  been  found  to  be 
extremely  useful  for  formal  analysis  of  such  systems  [10]  [21]  [22]  [23].  Theoretical  studies 
of various temporal logics for Petri nets are found in [2] [6] [7] [19] [22] [23].

The main result of the paper is a structural induction theorem that can be used to formally infer the correctness of a ring of any large size from the correctness of a ring having only a few components. The theorem actually gives a sufficient condition for the "behavior" of a ring of any large size to be "similar" to that of a ring having only a few components. Specifically, for $k \geq 2$ let $R_k$ be the ring consisting of $k$ components. We define a concept of "similarity" for rings, and then show that if $R_2$ and $R_3$ are similar in this sense and certain additional conditions are satisfied, then for any $k \geq 4$, $R_2$ and $R_k$ are also similar. This, together with the "correctness" of $R_2$ in a certain sense, can be used to ensure that $R_k$ is also correct for all $k \geq 3$. Though the theorem is applicable only when $R_k$ is bounded (i.e., the net representing $R_k$ has only finitely many distinct reachable markings) for any $k \geq 2$, we give a weak sufficient condition for $R_k$ to be bounded for any $k \geq 2$. (All the examples we discuss in the paper satisfy this condition.) The condition, which is given using the concept of an S-invariant [14], can be tested easily. In principle, if $R_2$ and $R_3$ are bounded then the similarity of $R_2$ and $R_3$ and the correctness of $R_2$ can be tested using an automatic theorem prover. The usefulness of the theorem is demonstrated using the well-known examples of token-passing mutual exclusion [16] and a simple producer-consumer system. Specifically, using the induction theorem we prove that the given algorithms for these problems guarantee certain liveness and safeness properties in $R_k$, regardless of the value of $k$.

The  condition  that  a  ring  is  bounded  simply  means  that  the  ring  is  a  finite  state  machine. 
Since  all  related  papers  mentioned  above  consider  only  systems  consisting  of  finite  state 
machines,  the  fact  that  our  theorem  can  be  applied  only  to  bounded  rings  is  not  a  severe 
restriction. 

Our  work  has  been  inspired  by  those  of  Kurshan  and  McMillan  [8]  and  Wolper  and 
Lovinfosse  [25]  that  present  similar  induction  theorems.  A  common  requirement  of  their 
induction  methods  is  that  the  human  verifier  must  first  find  an  “invariant”  (called  “process 
invariant”  or  “network  invariant”)  to  carry  out  the  induction.  One  difficulty  in  this  approach 
is  that  finding  such  an  invariant  is  not  always  easy  (even  if  it  exists).  The  method  given  in 
[3]  that  requires  the  establishment  of  a  “bisimulation”  between  two  systems  seems  to  suffer 
from  the  same  difficulty.  In  a  sense,  our  induction  theorem  gives  a  sufficient  condition  for 
the  existence  of  such  an  invariant  (or  bisimulation).  Whether  or  not  the  condition  of  our 
theorem  is  satisfied  can  be  tested  using  an  automatic  verifier  (if  the  ring  is  bounded)  and  if 
so,  the  theorem  assures  the  correctness  of  a  ring  of  any  size,  given  the  correctness  of  a  ring 
having  a  few  components.  There  is  no  need  for  the  human  verifier  to  find  an  invariant  to 
carry  out  the  verification.  It  should  also  be  mentioned,  however,  that  the  invariant  method 
can  be  considered  to  be  more  general  than  ours,  since  it  is  possible  that  the  condition  of 
our  theorem  does  not  hold  while  a  suitable  invariant  exists. 

The  rest  of  the  paper  is  organized  as  follows.  In  Section  2  we  review  the  basic  terminology 
of  Petri  nets  and  temporal  logic.  The  induction  theorem  is  presented  in  Section  3  and  then 
applied  to  the  verification  of  two  examples  in  Sections  4  and  5.  The  concluding  remarks  are 
found  in  Section  6. 


2  Fair  Petri  Nets 


The material presented in this section is basically the same as that given in Section 2 of [21].

For any set $S$, $S^*$ is the set of all finite sequences of elements of $S$, including the empty sequence $\lambda$. $S^\omega$ denotes the set of all infinite sequences of elements of $S$. For a finite sequence $\alpha \in S^*$ and a possibly infinite sequence $\beta \in S^* \cup S^\omega$, $\alpha\beta$ denotes the concatenation of $\alpha$ and $\beta$. $\alpha\beta$ is an infinite sequence if $\beta$ is an infinite sequence. $\alpha\beta$ is not defined if $\alpha$ is an infinite sequence. For a finite sequence $\alpha \in S^*$ and an integer $i \geq 0$, $\alpha^i$ denotes the concatenation of $i$ copies of $\alpha$. $\alpha^\omega$ denotes the concatenation of infinitely many copies of $\alpha$. $|\alpha|$ denotes the length of $\alpha \in S^*$. By convention we denote the length $|\alpha|$ of $\alpha \in S^\omega$ by $\omega$, where $\omega$ is a symbol such that $i < \omega$ for any integer $i$.

A Petri net is a directed graph with two types of nodes, called transitions and places, and weighted arcs from a node of one type to a node of the other type. Formally, a Petri net is given as a triple $N = (P, T, F)$ where

1. $P$ is a finite set of places,

2. $T$ is a finite set of transitions, and

3. $F : (P \times T) \cup (T \times P) \to \{0, 1, 2, \ldots\}$ is a weight function.

A place $p \in P$ is called an input place (or output place) of a transition $t \in T$ if $F(p, t) \geq 1$ (or $F(t, p) \geq 1$). Any function $M : P \to \{0, 1, 2, \ldots\}$ is called a marking. A place $p$ is said to have $M(p)$ tokens at a marking $M$. A transition $t \in T$ is said to be firable at $M$ iff $M(p) \geq F(p, t)$ for every $p \in P$. If $t$ is firable at $M$, then it may fire and yield another marking $M'$ such that $M'(p) = M(p) - F(p, t) + F(t, p)$ for every $p \in P$. We denote this by $M \to_t M'$. This relation is extended by

1. $M \to_\lambda M$ and

2. $M \to_{\alpha t} M'$ iff there exists $M''$ such that $M \to_\alpha M''$ and $M'' \to_t M'$

for all $M$, $M'$, $\alpha \in T^*$ and $t \in T$. If $M \to_\alpha M'$ then $M'$ is said to be reachable from $M$ by a finite firing sequence $\alpha$. $L(N, M)$ denotes the set of all finite firing sequences from $M$. An infinite sequence $\alpha \in T^\omega$ is an infinite firing sequence [24] from $M$ if $\beta \in L(N, M)$ for every prefix $\beta$ of $\alpha$. We denote by $L^\omega(N, M)$ the set of infinite firing sequences from $M$. Let $L^\infty(N, M) = L(N, M) \cup L^\omega(N, M)$ denote the set of all (both finite and infinite) firing sequences from $M$. Petri net $N$ is structurally bounded if for any marking $M$, there are only finitely many distinct markings reachable from $M$. Usually an initial marking is associated with a Petri net.

We draw a Petri net using a circle and a square to represent places and transitions, respectively. An arc with weight $F(p, t)$ (or $F(t, p)$) is drawn from $p$ to $t$ (or from $t$ to $p$) if $F(p, t) \geq 1$ (or $F(t, p) \geq 1$). The weight is omitted if it is 1. A marking $M$ is represented by drawing $M(p)$ dots in (the circle representing) $p$. Examples of Petri nets are found in Section 3.

A temporal Petri net [19] [22] is a pair $(N, f)$ where $N = (P, T, F)$ is a Petri net and $f$ is a formula.¹ The formula $f$ is regarded as a restriction on the possible firing sequences of $N$. For a marking $M$, we denote by $\mathcal{L}(N, M, f)$ the set of firing sequences $\alpha \in L^\infty(N, M)$ such that

1. $\alpha$ is either infinite, or finite and terminating in the sense that there is no transition $t \in T$ such that $\alpha t \in L(N, M)$, and

2. $\alpha$ satisfies $f$.

The first condition given above implies that the net is assumed to make progress whenever possible. In this paper we only consider formulas having the form

$$f(T') = \bigwedge_{t \in T'} \big((\Box\Diamond \uparrow t) \supset (\Box\Diamond t)\big), \qquad (1)$$

where $T' \subseteq T$ is a subset of transitions and $\uparrow t$ expresses that $t$ is firable. We call such $f(T')$ an f-formula, where "f" stands for "fairness," since an infinite sequence $\alpha$ satisfies $f(T')$ iff every $t \in T'$ that becomes firable infinitely often ($\Box\Diamond \uparrow t$) in $\alpha$ fires infinitely often ($\Box\Diamond t$) in $\alpha$. The transitions in $T - T'$ need not be fired fairly. For example, if we wish to allow the system to issue a request for entering the critical section only a finite number of times, then the transition representing the action of making such a request may be excluded from $T'$. We call a temporal Petri net having a formula of the form (1) a fair Petri net.
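The following is an added example, not code from the paper, that makes the two conditions defining $\mathcal{L}(N, M, f)$ executable for an f-formula $f(T')$: the progress condition (a finite run must be terminating) and formula (1). It assumes that an infinite run is given in lasso form, a finite prefix followed by a cycle repeated forever, which is an assumption of this example and not a restriction made in the paper; along such a run a transition is firable infinitely often exactly when it is firable at some marking inside the cycle, and fires infinitely often exactly when it occurs in the cycle. The net, its weight function `F` (a dict keyed by `(p, t)` and `(t, p)` pairs) and the sample run are constructed here.

```python
# Added example: membership of a run in L(N, M, f(T')) for an f-formula of form (1).
# A net is (transitions, F) with F the weight function stored as (src, dst) -> weight;
# a marking M is a dict place -> token count. Infinite runs are lassos prefix.cycle^omega
# (an assumption of this example, not of the paper).

def firable(F, M, t):
    """t is firable at M iff M(p) >= F(p, t) for every input place p of t."""
    return all(M.get(p, 0) >= w for (p, tt), w in F.items() if tt == t)

def fire(F, M, t):
    """M'(p) = M(p) - F(p, t) + F(t, p) for every place p."""
    M2 = dict(M)
    for (a, b), w in F.items():
        if b == t:
            M2[a] = M2.get(a, 0) - w
        if a == t:
            M2[b] = M2.get(b, 0) + w
    return M2

def replay(F, M, seq):
    """Markings M_0 .. M_n visited while firing seq from M, or None if seq is not a
    firing sequence from M (some step is not firable)."""
    marks = [M]
    for t in seq:
        if not firable(F, marks[-1], t):
            return None
        marks.append(fire(F, marks[-1], t))
    return marks

def terminating(transitions, F, M):
    """No transition is firable at M: the progress condition for a finite run."""
    return not any(firable(F, M, t) for t in transitions)

def in_fair_language(transitions, F, M0, prefix, cycle, fair_set):
    """True iff prefix.cycle^omega (or the finite run prefix, when cycle is empty)
    belongs to L(N, M0, f(fair_set)); fair_set plays the role of T' in formula (1)."""
    marks = replay(F, M0, prefix)
    if marks is None:
        return False
    if not cycle:                               # finite run: must be terminating
        return terminating(transitions, F, marks[-1])
    loop = replay(F, marks[-1], cycle)
    if loop is None or loop[-1] != loop[0]:     # the cycle must return to its start marking
        return False
    # loop[:-1] are the markings visited infinitely often; a transition of T' that is
    # firable at one of them must occur in the cycle, otherwise (1) is violated.
    for t in fair_set:
        firable_infinitely_often = any(firable(F, M, t) for M in loop[:-1])
        if firable_infinitely_often and t not in cycle:
            return False
    return True

# Constructed sample net: one token in p; transition a is a self-loop on p and b moves
# the token from p to q. While a keeps firing, b is firable at every step but never fires.
SAMPLE_T = ["a", "b"]
SAMPLE_F = {("p", "a"): 1, ("a", "p"): 1, ("p", "b"): 1, ("b", "q"): 1}
SAMPLE_M0 = {"p": 1, "q": 0}

def check(prefix, cycle, fair_set):
    """Membership test on the sample net; fair_set is the T' of the f-formula."""
    return in_fair_language(SAMPLE_T, SAMPLE_F, SAMPLE_M0, prefix, cycle, set(fair_set))

if __name__ == "__main__":
    print(check([], ["a"], ["a", "b"]))       # a^omega starves b: not in L for T' = {a, b}
    print(check([], ["a"], ["a"]))            # b is outside T', so a^omega is allowed
    print(check(["a", "b"], [], ["a", "b"]))  # finite and terminating at q
    print(check(["a"], [], ["a", "b"]))       # finite but not terminating: violates progress
```

The check decides membership of one given run; enumerating all of $\mathcal{L}(N, M, f)$ for a bounded net is a state-space search over the reachability graph, which is the task the paper leaves to an automatic verifier. The example also illustrates Lemma 1 on the sample net: the finite firing sequence `["a"]` is rejected on its own because it is not terminating, but it is a prefix of the accepted run `["a", "b"]`.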

Let $\bar{\mathcal{L}}(N, M, f)$ be the set of all prefixes of the sequences in $\mathcal{L}(N, M, f)$.

Lemma 1 If $f$ is an f-formula, then $\bar{\mathcal{L}}(N, M, f) = L(N, M)$.

Proof Clearly $\bar{\mathcal{L}}(N, M, f) \subseteq L(N, M)$. Since $f$ is an f-formula, for any $\alpha \in L(N, M)$ there exists some $\beta$ such that $\alpha\beta \in \mathcal{L}(N, M, f)$, and hence $\alpha \in \bar{\mathcal{L}}(N, M, f)$. Therefore $\bar{\mathcal{L}}(N, M, f) \supseteq L(N, M)$. $\square$

¹See [19] [21] [22] for a formal discussion on the formulas.

Figure 1: A component having one interface transition on each side.

3  Structural  Induction  on  a  Ring 

In  this  section,  we  present  a  structural  induction  theorem  that  can  be  used  to  prove  the 
correctness  of  rings  of  many  similar  components  that  are  modeled  as  fair  Petri  nets.  It  is 
well-known  that  such  induction  is  not  always  possible  [1]  [20].  The  theorem  presented  here 
gives  a  sufficient  condition  under  which  the  correctness  of  a  ring  of  any  large  size  can  be 
inferred  from  the  correctness  of  rings  having  only  a  few  components. 

Definition 1 A component is a Petri net $C = (P, T, F)$ in which the set $T$ of transitions can be partitioned as $T = T_L \cup T_I \cup T_R$ such that $|T_L| = |T_R| \geq 1$. The transitions in $T_L$, $T_I$ and $T_R$ are called left interface transitions, internal transitions and right interface transitions, respectively.

Figure 1 shows a component having one left interface transition $u_1$, one right interface transition $w_1$, one internal transition $v_1$, and two places $p_1$ and $p_2$.

We  connect  two  or  more  components  to  form  either  a  chain  or  a  ring  by  merging  the 
interface  transitions  of  different  components.  The  internal  transitions  of  a  component  do 
not  directly  participate  in  the  communication  with  other  components.  Formally,  we  have 
the  following  definitions. 

Definition 2 Let $C = (P, T, F)$ be a component having places $P = \{p_1, \ldots, p_n\}$, left interface transitions $T_L = \{u_1, \ldots, u_m\}$, internal transitions $T_I = \{v_1, \ldots, v_s\}$, and right interface transitions $T_R = \{w_1, \ldots, w_m\}$, where $T = T_L \cup T_I \cup T_R$. For each $i \geq 0$, $C_i = (P_i, T_i, F_i)$ denotes the Petri net having the same structure as $C$ in which

1. each $p_j$ is renamed $p_{i,j}$, $P_i = \{p_{i,1}, \ldots, p_{i,n}\}$,

2. each $u_j$ is renamed $t_{i-1,j}$, $T_{i,L} = \{t_{i-1,1}, \ldots, t_{i-1,m}\}$,

3. each $v_j$ is renamed $v_{i,j}$, $T_{i,I} = \{v_{i,1}, \ldots, v_{i,s}\}$,

4. each $w_j$ is renamed $t_{i,j}$, $T_{i,R} = \{t_{i,1}, \ldots, t_{i,m}\}$,

and $T_i = T_{i,L} \cup T_{i,I} \cup T_{i,R}$. $F_i$ is identical to $F$ under the renaming given above. For $0 \leq i \leq j$,

$$C_i \oplus C_{i+1} \oplus \cdots \oplus C_j = \Big(\bigcup_{i \leq l \leq j} P_l,\ \bigcup_{i \leq l \leq j} T_l,\ \bigcup_{i \leq l \leq j} F_l\Big)$$

denotes the chain consisting of $C_i, C_{i+1}, \ldots, C_j$. (Note, for example, that $C_i$'s right interface transitions, $t_{i,1}, \ldots, t_{i,m}$, have the same names as the left interface transitions of $C_{i+1}$. So in $C_i \oplus C_{i+1} \oplus \cdots \oplus C_j$, $C_i$ and $C_{i+1}$ are connected through $t_{i,1}, \ldots, t_{i,m}$.) For each $k \geq 2$,

$$R_k = C_0 \odot C_1 \oplus \cdots \oplus C_{k-1} = \Big(\bigcup_{0 \leq l \leq k-1} P_l,\ \bigcup_{0 \leq l \leq k-1} T_l,\ \bigcup_{0 \leq l \leq k-1} F_l\Big),$$

where all subscripts are taken modulo $k$, denotes the ring consisting of $C_0, C_1, \ldots, C_{k-1}$.

Figure 2: (a) $C_0 \oplus C_1$, (b) $R_2 = C_0 \odot C_1$ and (c) $R_3 = C_0 \odot C_1 \oplus C_2$ consisting of the component of Figure 1.

See Figure 2 for illustration. (Ignore the tokens at this time.) Chain $C_i \oplus C_{i+1} \oplus \cdots \oplus C_j$ is viewed as a new component having left interface transitions $T_{i,L}$ and right interface transitions $T_{j,R}$. The symbol "$\odot$" in $C_0 \odot C_1 \oplus \cdots \oplus C_{k-1}$ can be viewed as an operator that closes the chain $C_1 \oplus \cdots \oplus C_{k-1}$ into a ring using $C_0$, where $\oplus$ has precedence over $\odot$. All subscripts are taken modulo $k$ when we discuss $R_k$. So for example, the left interface transitions of $C_0$ in $R_k$ are $t_{k-1,1}, \ldots, t_{k-1,m}$, and $C_3 \oplus C_4 \oplus C_5 \oplus C_0 \oplus C_1$ is the chain embedded in $R_6$ consisting of $C_3$, $C_4$, $C_5$, $C_0$ and $C_1$. For each $0 \leq i \leq k-1$, we let $I_i = \{t_{i,1}, \ldots, t_{i,m}\}$ denote the set of interface transitions between $C_i$ and $C_{i+1}$. The internal transitions of $C_i$ and the interface transitions in $I_{i-1} \cup I_i$ are said to belong to $C_i$. An interface transition thus belongs to two components.

Since $C_0, C_1, \ldots, C_{k-1}$ are copies of $C$, a marking of $R_k$ can simply be described as a tuple $(M_0, M_1, \ldots, M_{k-1})$, where each $M_i$ is a marking of $C$, so that the number of tokens in $p_{i,j}$ of $C_i$ is given by $M_i(p_j)$. We assume that all components of a ring except possibly $C_0$ have the same initial marking. As is the case with token-passing mutual exclusion [16], it is sometimes necessary that we break symmetry by assigning a different initial marking to one component. Thus for some markings $M$ and $M'$ of $C$, we let

$$M^k = (M, \underbrace{M', \ldots, M'}_{k-1})$$

be the initial marking of $R_k$ in which $C_0$ has marking $M$ and $C_1, \ldots, C_{k-1}$ have $M'$.

To ensure that the fairness requirement is imposed on an identical set of transitions at every component of a ring, we take $T^k$ to be a set of transitions of $R_k$ such that

1. for each $1 \leq j \leq s$, either $v_{i,j} \in T^k$ for all $0 \leq i \leq k-1$ or $v_{i,j} \notin T^k$ for all $0 \leq i \leq k-1$, and

2. for each $1 \leq j \leq m$, either $t_{i,j} \in T^k$ for all $0 \leq i \leq k-1$ or $t_{i,j} \notin T^k$ for all $0 \leq i \leq k-1$,

and then let $f_k = f(T^k)$ be an f-formula for $R_k$ having the form (1). For a transition $t$, we say that $\alpha \in L^\infty(R_k, M^k)$ is $t$-legal if either it is infinite and satisfies $((\Box\Diamond \uparrow t) \supset (\Box\Diamond t))$, or it is finite and terminating. $\alpha$ is said to be legal at $C_i$ if it is $t$-legal for all transitions $t \in T^k$ that belong to $C_i$. Note that $\alpha$ belongs to $\mathcal{L}(R_k, M^k, f_k)$ iff $\alpha$ is legal at every $C_i$.

In the following, sets $L(R_k, M^k)$, $L^\omega(R_k, M^k)$, $L^\infty(R_k, M^k)$ and $\mathcal{L}(R_k, M^k, f_k)$ are simply written as $L(k)$, $L^\omega(k)$, $L^\infty(k)$ and $\mathcal{L}(k)$, respectively. For convenience, we use "$R_k$" to refer to either the Petri net $R_k$ alone or the tuple $(R_k, M^k, f_k)$, depending on the context. There will be no confusion.

Remark 1 Since the initial marking $M$ of $C_0$ can be different from those ($M'$) of $C_1, \ldots, C_{k-1}$, $C_0$ can behave completely differently from $C_1, \ldots, C_{k-1}$. Thus many of the results presented below can be extended to the case when the structure and formula of $C_0$ are different from those of $C_1, \ldots, C_{k-1}$. In this paper, we assume that $C_0$ is the same as the other components for simplicity of presentation.

Lemma 2 If $R_2$ is structurally bounded, then for any $k \geq 3$, $R_k$ is structurally bounded.

Proof  The  proof  is  found  in  Appendix  A.  □ 

A place of a component that is an input place of a left (or right) interface transition is called a left (or right) interface place of the component. Since a chain $C_i \oplus \cdots \oplus C_j$ is viewed as a component, its left (or right) interface places are the left (or right) interface places of $C_i$ (or $C_j$).
Definition 3 Let $p_{i_1}, \ldots, p_{i_l}$ and $p_{j_1}, \ldots, p_{j_r}$ be the left and right interface places of $C$, respectively, where $1 \leq i_1 < \cdots < i_l \leq n$ and $1 \leq j_1 < \cdots < j_r \leq n$. Then for a chain $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ of length at most $k-1$ within $R_k$ and a marking $(M_0, M_1, \ldots, M_{k-1})$, the firability vector of $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ at $(M_0, M_1, \ldots, M_{k-1})$ is the column vector

$$\big(M_{a-1}(p_{j_1}), \ldots, M_{a-1}(p_{j_r}),\ M_a(p_{i_1}), \ldots, M_a(p_{i_l}),\ M_b(p_{j_1}), \ldots, M_b(p_{j_r}),\ M_{b+1}(p_{i_1}), \ldots, M_{b+1}(p_{i_l})\big)^{\mathsf{T}}.$$

Whether or not an interface transition (in $I_{a-1} \cup I_b$) of chain $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ is firable at marking $(M_0, M_1, \ldots, M_{k-1})$ can be determined by examining the firability vector of $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ at that marking.

Definition 4 Let $\alpha = t_1 t_2 \ldots t_i \ldots \in L^\infty(k)$ be a firing sequence such that for each $0 \leq i < |\alpha|$, $M^k_i \to_{t_{i+1}} M^k_{i+1}$. (Thus $M^k = M^k_0$.) For an index $0 \leq a \leq k-1$, let $V_i$ be the firability vector of $C_a$ at $M^k_i$. The extended local history of $C_a$ in $\alpha$, denoted $\langle C_a \rangle_\alpha$, is the sequence obtained from $V_0 t_1 V_1 t_2 V_2 \ldots$ by

1. deleting all transitions that do not belong to $C_a$,

2. replacing every remaining $t_{a-1,j}$, $v_{a,j}$ and $t_{a,j}$ by $u_j$, $v_j$ and $w_j$, respectively, and then

3. replacing every maximal substring of identical vectors $V_{i_1} V_{i_2} \ldots V_{i_l}$ by a single occurrence of $V_{i_1}$.

The local history of $C_a$ in $\alpha$, denoted $\langle\langle C_a \rangle\rangle_\alpha$, is the firing sequence obtained from $\langle C_a \rangle_\alpha$ by deleting the firability vectors.

$\langle\langle C_a \rangle\rangle_\alpha$ is the firing sequence of $C$ corresponding to the portion of $\alpha$ that occurs in $C_a$. $\langle C_a \rangle_\alpha$ is $\langle\langle C_a \rangle\rangle_\alpha$ together with the information on all the changes in the firability vector of $C_a$. We define

$$h(\alpha) = (\langle C_0 \rangle_\alpha, \langle C_1 \rangle_\alpha, \ldots, \langle C_{k-1} \rangle_\alpha).$$

In the following, if $\alpha$ is legal at $C_a$, then we say that $\langle C_a \rangle_\alpha$ (or $\langle\langle C_a \rangle\rangle_\alpha$) is legal.

Definition 5 For an index $0 \leq a \leq k-1$ and a firing sequence $\alpha \in L^\infty(k)$, the externally visible history of $C_a$ in $\alpha$, denoted $[C_a]_\alpha$, is the sequence obtained from $\langle C_a \rangle_\alpha$ by

1. deleting all the internal transitions of $C$, and then

2. replacing every maximal substring of identical vectors $V_{i_1} V_{i_2} \ldots V_{i_l}$, if any, by a single occurrence of $V_{i_1}$.

$[C_a]_\alpha$ is the firing sequence of the interface transitions of $C$ corresponding to the portion of $\alpha$ that occurs in $C_a$, together with the information on all the changes in its firability vector. Since a chain is viewed as a component, we extend the concept of externally visible history of a single component to that of a chain. Thus for chain $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ and $\alpha \in L^\infty(k)$,

$$[C_a \oplus C_{a+1} \oplus \cdots \oplus C_b]_\alpha$$

is the sequence showing the firing of its interface transitions in $I_{a-1} \cup I_b$ and all the changes in its firability vector. (Note that we use $\langle\langle C_a \rangle\rangle_\alpha$ to denote the firing sequence of $C$ corresponding to the transition firings in $C_a$ in $\alpha$, and thus $\langle\langle C_a \oplus C_{a+1} \oplus \cdots \oplus C_b \rangle\rangle_\alpha$ is not defined unless the chain consists of a single component. Similarly, $\langle C_a \oplus C_{a+1} \oplus \cdots \oplus C_b \rangle_\alpha$ is not defined unless the chain consists of a single component.)

Example 1 Consider rings $R_k$ consisting of the component of Figure 1. Assume that at the initial marking $M^k$, place $p_{0,1}$ (the copy of $p_1$ in $C_0$) has one token and all other places are token-free. Figure 2 shows $R_2$ and $R_3$ with their initial markings. Since no two transitions share an input place, the fairness requirement is redundant. That is, we can take $T^k = \emptyset$ and $f_k = f(T^k) = \mathit{true}$. Then the only firing sequence in $\mathcal{L}(2)$ is

$$\alpha = (v_{0,1}\, t_{0,1}\, v_{1,1}\, t_{1,1})^\omega.$$

The firability vectors of $C_0$ have the form $\binom{x}{y}$, where $x$ and $y$ are the token counts of interface places $p_{1,2}$ and $p_{0,2}$, respectively. It is easy to show

$$\langle C_0 \rangle_\alpha = \Big(\binom{0}{0}\, v_1\, \binom{0}{1}\, w_1\, \binom{0}{0}\binom{1}{0}\, u_1\Big)^\omega,$$

$$\langle\langle C_0 \rangle\rangle_\alpha = (v_1\, w_1\, u_1)^\omega$$

and

$$[C_0]_\alpha = \Big(\binom{0}{0}\binom{0}{1}\, w_1\, \binom{0}{0}\binom{1}{0}\, u_1\Big)^\omega.$$

In $R_3$, the firability vectors of $C_0$ show the token counts of interface places $p_{2,2}$ and $p_{0,2}$. The only firing sequence in $\mathcal{L}(3)$ is

$$\beta = (v_{0,1}\, t_{0,1}\, v_{1,1}\, t_{1,1}\, v_{2,1}\, t_{2,1})^\omega$$

and the reader can verify that $\langle C_0 \rangle_\alpha = \langle C_0 \rangle_\beta$, $\langle\langle C_0 \rangle\rangle_\alpha = \langle\langle C_0 \rangle\rangle_\beta$ and $[C_0]_\alpha = [C_0]_\beta$. $\square$
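The construction of $R_k$ in Definition 2, the firability vector of Definition 3 and the extended local history of Definition 4, carried out on Example 1, as an added example that is not part of the paper. The arc set of the Figure 1 component is our reading of the figure from the text (an assumption): $u_1$ puts a token into $p_1$, $v_1$ moves it to $p_2$, and $w_1$ consumes it, all weights 1. Interface transitions between $C_i$ and $C_{i+1}$ are stored under one name, `("t", j, i)`, which is how $w_j$ of $C_i$ and $u_j$ of $C_{i+1}$ become the same transition; the firing rule is the one of Section 2. The same code counts the markings reachable from $M^k$, which is the boundedness check (for the given initial marking, not structural boundedness) on which Theorem 1 relies.

```python
from collections import deque

# Component C of Figure 1 (arc set assumed from the text's description of the figure).
# F is the weight function of Section 2, stored as (src, dst) -> weight.
COMPONENT = {
    "places": ["p1", "p2"],
    "left": ["u1"], "internal": ["v1"], "right": ["w1"],
    "arcs": {("u1", "p1"): 1, ("p1", "v1"): 1, ("v1", "p2"): 1, ("p2", "w1"): 1},
}

def ring(comp, k):
    """R_k of Definition 2. Places of C_i are (p, i), internal transitions (v, i); the
    interface transitions in I_i are ("t", j, i), so w_j of C_i and u_j of C_{i+1 mod k}
    are one node. Returns (places, transitions, F)."""
    assert k >= 2 and len(comp["left"]) == len(comp["right"]) >= 1
    def node(x, i):
        if x in comp["right"]:
            return ("t", comp["right"].index(x), i)
        if x in comp["left"]:
            return ("t", comp["left"].index(x), (i - 1) % k)
        return (x, i)                      # a place or an internal transition of C_i
    places = {(p, i) for i in range(k) for p in comp["places"]}
    F = {(node(a, i), node(b, i)): w for i in range(k) for (a, b), w in comp["arcs"].items()}
    transitions = {x for arc in F for x in arc if x not in places}
    return places, transitions, F

def firable(F, M, t):
    return all(M.get(p, 0) >= w for (p, tt), w in F.items() if tt == t)

def fire(F, M, t):
    """M'(p) = M(p) - F(p, t) + F(t, p) for every place p."""
    M2 = dict(M)
    for (a, b), w in F.items():
        if b == t:
            M2[a] -= w
        if a == t:
            M2[b] += w
    return M2

def count_reachable(transitions, F, M0, limit=10_000):
    """Breadth-first count of the markings reachable from M0, capped at `limit` because
    an unbounded net has infinitely many; reaching the cap proves nothing."""
    key = lambda M: tuple(sorted(M.items()))
    seen, todo = {key(M0)}, deque([M0])
    while todo and len(seen) < limit:
        M = todo.popleft()
        for t in transitions:
            if firable(F, M, t):
                M2 = fire(F, M, t)
                if key(M2) not in seen:
                    seen.add(key(M2))
                    todo.append(M2)
    return len(seen)

def firability_vector(comp, k, M, a):
    """Definition 3 for the single component C_a: right interface places of C_{a-1},
    left then right interface places of C_a, left interface places of C_{a+1}."""
    left = [p for p in comp["places"] if any((p, u) in comp["arcs"] for u in comp["left"])]
    right = [p for p in comp["places"] if any((p, w) in comp["arcs"] for w in comp["right"])]
    return tuple([M[(p, (a - 1) % k)] for p in right] + [M[(p, a)] for p in left]
                 + [M[(p, a)] for p in right] + [M[(p, (a + 1) % k)] for p in left])

def extended_local_history(comp, k, F, M0, run, a):
    """<C_a> of Definition 4 over a finite prefix `run` of a firing sequence: keep the
    transitions belonging to C_a under their names in C, collapse repeated vectors."""
    def local_name(t):
        if t[0] == "t" and t[2] == a:
            return comp["right"][t[1]]         # t_{a,j} is w_j of C_a
        if t[0] == "t" and t[2] == (a - 1) % k:
            return comp["left"][t[1]]          # t_{a-1,j} is u_j of C_a
        if t[0] != "t" and t[1] == a:
            return t[0]                        # v_{a,j} is v_j of C_a
        return None
    hist, M = [firability_vector(comp, k, M0, a)], M0
    for t in run:
        assert firable(F, M, t), f"{t} is not firable: not a firing sequence"
        M = fire(F, M, t)
        name = local_name(t)
        if name is not None:
            hist.append(name)
        v = firability_vector(comp, k, M, a)
        if hist[-1] != v:
            hist.append(v)
    return hist

def initial_marking(k):
    """M^k of Example 1: one token in p_{0,1}, every other place empty."""
    M = {(p, i): 0 for i in range(k) for p in COMPONENT["places"]}
    M[("p1", 0)] = 1
    return M

def example_1(k, periods=1):
    """<C_0> in R_k over `periods` rounds of v_{0,1} t_{0,1} ... v_{k-1,1} t_{k-1,1}."""
    _, _, F = ring(COMPONENT, k)
    run = [t for _ in range(periods) for i in range(k) for t in (("v1", i), ("t", 0, i))]
    return extended_local_history(COMPONENT, k, F, initial_marking(k), run, 0)

def reachable_markings(k):
    _, transitions, F = ring(COMPONENT, k)
    return count_reachable(transitions, F, initial_marking(k))

if __name__ == "__main__":
    for k in (2, 3, 5):
        print(k, reachable_markings(k), example_1(k))
    print(example_1(2) == example_1(3) == example_1(5))
```

One period of the run yields `[(0, 0), 'v1', (0, 1), 'w1', (0, 0), (1, 0), 'u1', (0, 0)]` for every $k \geq 2$, which is the $\langle C_0 \rangle_\alpha = \langle C_0 \rangle_\beta$ of Example 1 with the column vectors written as tuples; the single circulating token gives $2k$ reachable markings, so each $R_k$ is bounded. The collapse of identical vectors is what hides the size of the ring from $C_0$: in $R_3$ the firings of $C_1$ do not change $C_0$'s vector, so they leave no trace in its extended local history.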
Lemma 3 Let $\alpha \in L^\infty(k)$ and $\beta \in L^\infty(\ell)$ be firing sequences such that for some $0 \leq a \leq b \leq k-1$ and $0 \leq c \leq d \leq \ell-1$,

$$[C_a \oplus C_{a+1} \oplus \cdots \oplus C_b]_\alpha = [C_c \oplus C_{c+1} \oplus \cdots \oplus C_d]_\beta.$$

Let $J = c + (b - a + 1) + (\ell - 1 - d) = \ell + (c - d) + (b - a)$. Then there exists a firing sequence $\gamma \in L^\infty(J)$ such that

$$h(\gamma) = \big(\underbrace{\langle C_0 \rangle_\beta, \ldots, \langle C_{c-1} \rangle_\beta}_{c},\ \underbrace{\langle C_a \rangle_\alpha, \ldots, \langle C_b \rangle_\alpha}_{b-a+1},\ \underbrace{\langle C_{d+1} \rangle_\beta, \ldots, \langle C_{\ell-1} \rangle_\beta}_{\ell-1-d}\big).$$

Proof We only give an outline. Suppose that we construct a ring of size $J$ by connecting $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ of $R_k$ and $C_{d+1} \oplus \cdots \oplus C_{\ell-1} \oplus C_0 \oplus \cdots \oplus C_{c-1}$ of $R_\ell$. Since $[C_a \oplus C_{a+1} \oplus \cdots \oplus C_b]_\alpha = [C_c \oplus C_{c+1} \oplus \cdots \oplus C_d]_\beta$, we can fire the transitions in $\alpha$ that belong to $C_a \oplus C_{a+1} \oplus \cdots \oplus C_b$ and the transitions in $\beta$ that belong to $C_{d+1} \oplus \cdots \oplus C_{\ell-1} \oplus C_0 \oplus \cdots \oplus C_{c-1}$ in such a way that (a) the interface transitions between $C_{c-1}$ and $C_a$, and between $C_b$ and $C_{d+1}$, are fired simultaneously, and (b) the token counts of the input places of the interface transitions between $C_{c-1}$ and $C_a$, and between $C_b$ and $C_{d+1}$, change in the same manner as those of the input places of the interface transitions in $I_{a-1} \cup I_b$ in $\alpha$. The resulting sequence $\gamma$ is a firing sequence in $L^\infty(J)$ satisfying the condition on $h(\gamma)$ given above. $\square$

Recall that $\mathcal{L}(k)$ is the set of firing sequences $\alpha$ in $R_k$ from $M^k$ satisfying $f_k$, i.e., $\alpha$ is legal at every $C_i$. For each $0 \leq i \leq k-1$, we denote by $\mathcal{L}_{\neg i}(k)$ the set of firing sequences $\alpha \in L^\infty(k)$ that are $t$-legal for all transitions $t$ of $R_k$ except possibly the internal transitions of $C_i$. Such $\alpha$ may or may not be legal at $C_i$.

Definition 6 $R_k = C_0 \odot C_1 \oplus \cdots \oplus C_{k-1}$ and $R_\ell = C_0 \odot C_1 \oplus \cdots \oplus C_{\ell-1}$ are similar, denoted $R_k \sim R_\ell$, if

1. $\{\langle C_0 \rangle_\alpha \mid \alpha \in \mathcal{L}(k)\} = \{\langle C_0 \rangle_\alpha \mid \alpha \in \mathcal{L}(\ell)\}$ and

2. $\{\langle C_i \rangle_\alpha \mid \alpha \in \mathcal{L}(k)\} = \{\langle C_j \rangle_\alpha \mid \alpha \in \mathcal{L}(\ell)\}$ for any $1 \leq i \leq k-1$ and $1 \leq j \leq \ell-1$.

Definition 7 $R_k = C_0 \odot C_1 \oplus \cdots \oplus C_{k-1}$ and $R_\ell = C_0 \odot C_1 \oplus \cdots \oplus C_{\ell-1}$ are strongly similar, denoted $R_k \approx R_\ell$, if

1. $\{\langle C_0 \rangle_\alpha \mid \alpha \in \mathcal{L}_{\neg 0}(k)\} = \{\langle C_0 \rangle_\alpha \mid \alpha \in \mathcal{L}_{\neg 0}(\ell)\}$ and

2. $\{\langle C_i \rangle_\alpha \mid \alpha \in \mathcal{L}_{\neg i}(k)\} = \{\langle C_j \rangle_\alpha \mid \alpha \in \mathcal{L}_{\neg j}(\ell)\}$ for any $1 \leq i \leq k-1$ and $1 \leq j \leq \ell-1$.

Intuitively, if $R_k \sim R_\ell$, then as long as the components behave legally, none of the copies of $C$ knows which of $R_k$ and $R_\ell$ it is in, and none of the copies of $C$ other than $C_0$ knows which copy of $C$ it is. The strong similarity $R_k \approx R_\ell$ assures that the same is true for any copy of $C$ that may violate the f-formula for its internal transitions, as long as all other components behave legally. Note that $R_k \approx R_\ell$ implies $R_k \sim R_\ell$.
Figure 3: A component having one place.

Figure 4: (a) $R_2$ and (b) $R_3$ consisting of the component of Figure 3.


Example 2 We have seen that rings $R_2$ and $R_3$ given in Example 1 satisfy

$$\{\langle C_0 \rangle_\alpha \mid \alpha \in \mathcal{L}(2)\} = \{\langle C_0 \rangle_\alpha \mid \alpha \in \mathcal{L}(3)\}.$$

Using a similar argument, we can also show that

$$\{\langle C_1 \rangle_\alpha \mid \alpha \in \mathcal{L}(2)\} = \{\langle C_j \rangle_\alpha \mid \alpha \in \mathcal{L}(3)\}$$

for $j = 1, 2$. Thus $R_2 \sim R_3$. We leave it to the reader to verify that in fact, $R_2 \sim R_k$ holds for any $k \geq 3$. Furthermore, since $T^k = \emptyset$, $\mathcal{L}_{\neg i}(k) = \mathcal{L}(k)$ for any $0 \leq i \leq k-1$. Therefore $R_2 \sim R_k$ implies $R_2 \approx R_k$. $\square$


Example 3 Consider rings $R_2$ and $R_3$ shown in Figure 4 consisting of the component of Figure 3. Assume that at the initial marking, place $p_{0,1}$ has one token and all other places are token-free. As in Example 1, take $T^k = \emptyset$, and thus $f_k = f(T^k) = \mathit{true}$. The only firing sequence in $\mathcal{L}(2)$ is

$$\alpha = (t_{0,1}\, t_{1,1})^\omega$$

with

$$\langle C_0 \rangle_\alpha = \Big(\binom{0}{1}\, w_1\, \binom{1}{0}\, u_1\Big)^\omega,$$

where the firability vectors of $C_0$ show the token counts of interface places $p_{1,1}$ and $p_{0,1}$. As for $R_3$, the only firing sequence in $\mathcal{L}(3)$ is

$$\beta = (t_{0,1}\, t_{1,1}\, t_{2,1})^\omega$$

with

$$\langle C_0 \rangle_\beta = \Big(\binom{0}{1}\, w_1\, \binom{0}{0}\binom{1}{0}\, u_1\Big)^\omega,$$

where the firability vectors of $C_0$ show the token counts of interface places $p_{2,1}$ and $p_{0,1}$. Since $\langle C_0 \rangle_\alpha \neq \langle C_0 \rangle_\beta$, we have $R_2 \not\sim R_3$. On the other hand, it is easy to show that $R_3 \sim R_k$ holds for any $k \geq 4$. Since $T^k = \emptyset$, this implies that $R_3 \approx R_k$ for any $k \geq 4$. We leave details to the reader. $\square$

Figure 5: Component $C$ such that $R_2 \sim R_3$ but $R_2 \not\approx R_3$.

Example 4 Figure 5 shows a component $C$ such that $R_2 \sim R_3$ but $R_2 \not\approx R_3$. $T^k$ is the set of all transitions in $R_k$. Initially, $C_0$ has a token in $p_2$ and $p_3$. (Strictly, we should say that $C_0$ has a token in $p_{0,2}$ and $p_{0,3}$, that are the copies of $p_2$ and $p_3$ in $C_0$. For convenience, in this example we use the original names in $C$ to refer to places and transitions of $C_i$.) All other components $C_i$ have a token only in $p_3$. Intuitively, the components keep circulating the token that is initially in $p_2$ of $C_0$, using $u_2$, $v_3$ and $w_2$, and later using $u_2$, $v_4$ and $w_2$, since $v_2 w_1$ should eventually fire to satisfy the fairness condition, unless $u_1 v_1$ fires. Suppose that in $R_3$, $C_0$ violates fairness and fires $v_3 w_2 (u_2 v_3 w_2)^\omega$. $C_1$ and $C_2$ can still continue to circulate the token indefinitely without violating fairness, by firing $v_2 w_1$ in $C_1$ and $u_1 v_1$ in $C_2$ and thus moving the token in $p_3$ to $p_4$ in both components. (Note that $w_1$ of $C_1$ is the same as $u_1$ of $C_2$.) In $R_2$, however, if $C_0$ violates fairness and fires $v_3 w_2 (u_2 v_3 w_2)^\omega$, then $C_1$ eventually fires $v_2$ (to satisfy fairness) but it cannot fire $w_1$, since $w_1$ of $C_1$ is the same as $u_1$ of $C_0$ and $C_0$ never fires $u_1$. So $w_1$ of $C_1$ remains firable forever and never fires, and thus fairness is violated at $C_1$. A formal analysis based on this observation shows that $R_2 \not\approx R_3$. The fact that such a scenario cannot happen if all components behave fairly is the basis for proving $R_2 \sim R_3$. We leave details to the reader. $\square$

The main goal of this section is to prove the next theorem, which can be used to prove the correctness of rings consisting of an arbitrary number of copies of $C$.

Theorem 1 If $R_2$ is structurally bounded and $R_2 \approx R_3$, then $R_2 \sim R_k$ for any $k \geq 3$.

We need the following lemmas to prove this theorem.

Lemma 4 If $R_2 \approx R_3$ and $R_2 \sim R_k$ for some $k \geq 3$, then whenever either $i = j = 0$ or both $1 \leq i \leq k-1$ and $1 \leq j \leq k$,

    $\{(C_i)_\alpha \mid \alpha \in L(k)\} \subseteq \{(C_j)_\alpha \mid \alpha \in L(k+1)\}.$
Proof Since $R_2 \sim R_k$ implies that the sets $\{(C_i)_\alpha \mid \alpha \in L(k)\}$ are all identical for $1 \leq i \leq k-1$, it suffices to show that for any $\alpha \in L(k)$, where

    $h(\alpha) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-1})_\alpha),$

there exist $\beta$ and $\beta' \in L(k+1)$ such that

    $h(\beta) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_{k-1})_\beta, (C_k)_\beta}_{[C_{k-1}]_\alpha})$²

and

    $h(\beta') = (\underbrace{(C_0)_{\beta'}, (C_1)_{\beta'}}_{[C_0]_\alpha}, (C_1)_\alpha, (C_2)_\alpha, \ldots, (C_{k-1})_\alpha).$

In the following we show the existence of such $\beta$. The argument for $\beta'$ is similar and is thus omitted. Since $R_2 \sim R_k$, there exists $\gamma \in L(2)$ such that

    $h(\gamma) = ((C_0)_\alpha, \underbrace{(C_1)_\gamma}_{[C_{k-1}]_\alpha}).$

Since $R_2 \approx R_3$, there exists $\delta \in L(3)$ such that

    $h(\delta) = ((C_0)_\gamma, \underbrace{(C_1)_\delta, (C_2)_\delta}_{[C_{k-1}]_\alpha}).$

Since $[C_{k-1}]_\alpha = [C_1 \oplus C_2]_\delta$, by Lemma 3 there exists $\varepsilon \in L^\infty(k+1)$ such that

    $h(\varepsilon) = ((C_0)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_1)_\delta, (C_2)_\delta}_{[C_{k-1}]_\alpha}).$

Since all elements of $h(\varepsilon)$ are legal, $\varepsilon$ satisfies $f_{k+1}$. Therefore $\varepsilon \in L(k+1)$. □

Remark 2 The proofs of Lemmas 3 and 4 do not use the assumption that $f$ is an f-formula. In fact, the two lemmas are true for an arbitrary formula $f$, as long as the legality of any $\alpha$ is determined only by the legality of the elements of $h(\alpha)$.

Lemma 5 Let $t$ be a left (or right) interface transition of $C_1$ of $R_2$ or $R_3$. If $R_2 \sim R_3$, then a firing of $t$ does not change the token counts of the right (or left) interface places of $C_1$.

Proof We consider the case when $t$ is a left interface transition of $C_1$ of $R_3$. The other cases are similar. Take any $\alpha t \in L(3)$. Since $R_2 \sim R_3$, there exists $\beta t \in L(2)$ such that $(C_0)_{\alpha t} = (C_0)_{\beta t}$. Suppose that the firing of $t$ in $\alpha t$ changes the token counts of the right interface places of $C_1$ of $R_3$. Then the firing of $t$ in $\beta t$ changes the token counts of the right interface places of $C_1$ of $R_2$, since $C_1$ has the same structure in $R_2$ and $R_3$. Then, since $(C_0)_{\alpha t} = (C_0)_{\beta t}$ implies $(C_0)_\alpha = (C_0)_\beta$, the firing of $t$ in $\alpha t$ should also change the token counts of the right interface places of $C_2$ of $R_3$. But this is impossible, since $t$ does not belong to $C_2$. □

² The underbrace indicates that $[C_{k-1} \oplus C_k]_\beta = [C_{k-1}]_\alpha$. Although this relation is implied by the forms of $h(\alpha)$ and $h(\beta)$, we use this notation to improve readability.
Lemma 6 If $R_2 \approx R_3$ and $R_2 \sim R_k$ for some $k \geq 3$, then for any $\alpha \in L(k+1)$, where

    $h(\alpha) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, (C_{k-1})_\alpha, (C_k)_\alpha),$

there exists $\beta \in L(k)$ such that

    $h(\beta) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_{k-1})_\beta}_{[C_{k-1} \oplus C_k]_\alpha}).$  (2)


Proof The proof is by induction. If $\alpha = \lambda$, then $\beta = \lambda \in L(k)$ satisfies equation (2), since both in $R_k$ and $R_{k+1}$, initially $C_0$ has marking $M$ and all other copies of $C$ have $M'$. Assume that for some $\alpha \in L(k+1)$ such that $\alpha t \in L(k+1)$, there exists $\beta \in L(k)$ satisfying equation (2). There are three cases.

Case 1: $t$ is an internal transition of $C_0 \oplus C_1 \oplus \cdots \oplus C_{k-2}$.

Clearly $t$ is firable in $R_k$ after $\beta$, i.e., $\beta t \in L(k)$. Since a firing of $t$ can change the token counts of the places in $C_0 \oplus C_1 \oplus \cdots \oplus C_{k-2}$ only, and the changes are identical in $R_k$ and $R_{k+1}$, $\beta t$ has the property

    $h(\beta t) = ((C_0)_{\alpha t}, (C_1)_{\alpha t}, \ldots, (C_{k-2})_{\alpha t}, \underbrace{(C_{k-1})_{\beta t}}_{[C_{k-1} \oplus C_k]_{\alpha t}}).$

Case 2: $t \in I_{k-2} \cup I_k$.

Consider the case when $t \in I_{k-2}$, i.e., $t = t_{k-2,j}$ for some $1 \leq j \leq m$. Since $[C_{k-1}]_\beta = [C_{k-1} \oplus C_k]_\alpha$, we have $\beta t \in L(k)$. Now we prove that $[C_{k-1}]_{\beta t} = [C_{k-1} \oplus C_k]_{\alpha t}$. A firing of $t$ changes the token counts of the right (or left) interface places of $C_{k-2}$ (or $C_{k-1}$) in the same way in $R_k$ and $R_{k+1}$, and it does not change the token counts of the left interface places of $C_0$ in either ring, since $t$ does not belong to $C_0$. Also, it does not change the token counts of the right interface places of $C_k$ of $R_{k+1}$, since $t$ does not belong to $C_k$. It remains to be shown that the token counts of the right interface places of $C_{k-1}$ of $R_k$ are not changed by a firing of $t$. This follows from Lemma 5 and the fact that, by Lemma 1 and $R_2 \sim R_k$, there exists $\gamma t' \in L(2)$ such that $(C_{k-1})_{\beta t} = (C_1)_{\gamma t'}$, where $t' = t_{0,j}$ is the interface transition of $C_1$ in $R_2$ corresponding to $t$ of $C_{k-1}$ in $R_k$. Therefore

    $h(\beta t) = ((C_0)_{\alpha t}, (C_1)_{\alpha t}, \ldots, (C_{k-2})_{\alpha t}, \underbrace{(C_{k-1})_{\beta t}}_{[C_{k-1} \oplus C_k]_{\alpha t}}).$

The argument for the case when $t \in I_k$ is similar.

Case 3: $t$ is an internal transition of $C_{k-1} \oplus C_k$.

By Lemma 1 and the assumption that $R_2 \sim R_k$, there exists $\gamma \in L(2)$ such that

    $h(\gamma) = ((C_0)_\beta, (C_{k-1})_\beta).$

Then since $[C_{k-1}]_\beta = [C_{k-1} \oplus C_k]_\alpha$, by Lemma 3 there exists $\delta \in L(3)$ such that

    $h(\delta) = ((C_0)_\gamma, (C_{k-1})_\delta, (C_k)_\delta) = ((C_0)_\gamma, (C_{k-1})_\alpha, (C_k)_\alpha).$

Let $t'$ be the internal transition of $C_1 \oplus C_2$ in $R_3$ corresponding to $t$, i.e., either $t = t_{k-1,j}$ and $t' = t_{1,j}$ for some $1 \leq j \leq m$, or $t = v_{k-1,j}$ and $t' = v_{1,j}$ or $t = v_{k,j}$ and $t' = v_{2,j}$ for some $1 \leq j \leq s$. Then since $\alpha t \in L(k+1)$, we have $\delta t' \in L(3)$, where

Since $R_2 \approx R_3$, there exists $\zeta \in L(2)$ such that

    $h(\zeta) = ((C_0)_{\delta t'}, \underbrace{(C_1)_\zeta}_{[C_{k-1} \oplus C_k]_{\alpha t}}).$

Since $[C_1]_\zeta = [C_{k-1} \oplus C_k]_{\alpha t}$, by Lemma 3 there exists $\eta \in L(k)$ such that

    $h(\eta) = ((C_0)_{\alpha t}, (C_1)_{\alpha t}, \ldots, (C_{k-2})_{\alpha t}, \underbrace{(C_{k-1})_\eta}_{[C_{k-1} \oplus C_k]_{\alpha t}}).$

This completes the induction. □

Lemma 7 If $R_2$ is structurally bounded, $R_2 \approx R_3$ and $R_2 \sim R_k$ for some $k \geq 3$, then whenever either $i = j = 0$ or both $1 \leq i \leq k-1$ and $1 \leq j \leq k$,

    $\{(C_i)_\alpha \mid \alpha \in L(k)\} \supseteq \{(C_j)_\alpha \mid \alpha \in L(k+1)\}.$

Proof Since $R_2 \sim R_k$ implies that the sets $\{(C_i)_\alpha \mid \alpha \in L(k)\}$ are all identical for $1 \leq i \leq k-1$, it suffices to show that for any $\alpha \in L(k+1)$, where

    $h(\alpha) = ((C_0)_\alpha, (C_1)_\alpha, (C_2)_\alpha, \ldots, (C_{k-2})_\alpha, (C_{k-1})_\alpha, (C_k)_\alpha),$

there exist $\beta$ and $\beta' \in L(k)$ such that

    $h(\beta) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_{k-1})_\beta}_{[C_{k-1} \oplus C_k]_\alpha})$  (3)

and

    $h(\beta') = (\underbrace{(C_0)_{\beta'}}_{[C_0 \oplus C_1]_\alpha}, (C_2)_\alpha, \ldots, (C_{k-1})_\alpha, (C_k)_\alpha).$

In the following we show the existence of such $\beta$. The argument for $\beta'$ is similar and is thus omitted.

First, we show that there exists $\gamma \in L^\infty(k)$ such that

    $h(\gamma) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_{k-1})_\gamma}_{[C_{k-1} \oplus C_k]_\alpha}).$  (4)

Sequence $\gamma$ is just like $\beta$ of equation (3), except that it may not be legal at $C_{k-1}$. There are two cases.

Case 1: In $\alpha$, (a) the interface transitions in $I_{k-2} \cup I_k$ fire only a finite number of times and (b) the token counts of the interface places of $C_{k-1} \oplus C_k$ change only a finite number of times.

Let $\alpha_1 \in L(k+1)$ be the shortest sequence such that (a) $\alpha = \alpha_1 \alpha_2$, (b) the interface transitions in $I_{k-2} \cup I_k$ do not fire in $\alpha_2$, and (c) the token counts of the interface places of $C_{k-1} \oplus C_k$ do not change in $\alpha_2$. Let $\alpha' = \alpha_1 \alpha'_2 \in L^\infty(k+1)$ be the sequence that is identical to $\alpha$ except that no transition in $C_{k-1} \oplus C_k$ fires after $\alpha_1$. By Lemma 6, there exists $\beta_1 \in L(k)$ such that

    $h(\beta_1) = ((C_0)_{\alpha_1}, (C_1)_{\alpha_1}, \ldots, (C_{k-2})_{\alpha_1}, \underbrace{(C_{k-1})_{\beta_1}}_{[C_{k-1} \oplus C_k]_{\alpha_1}}).$

By the assumption on $\alpha$ given above, we can extend $\beta_1$ to $\gamma = \beta_1 \alpha'_2 \in L^\infty(k)$, which clearly satisfies equation (4).

Case 2: In $\alpha$, either (a) the interface transitions in $I_{k-2} \cup I_k$ fire infinitely often, or (b) the token counts of the interface places of $C_{k-1} \oplus C_k$ change infinitely many times.

Such $\alpha$ can be written as $\alpha = \sigma_1 x_1 \sigma_2 x_2 \ldots$, where $x_1, x_2, \ldots$ are the interface transitions of $C_{k-1} \oplus C_k$ and the transitions in $C_{k-1} \oplus C_k$ whose firings change the token counts of the interface places of $C_{k-1} \oplus C_k$. For each $l \geq 1$, let $\alpha_l = \sigma_1 x_1 \sigma_2 x_2 \ldots \sigma_l x_l$ be the prefix of $\alpha$ ending with $x_l$. By Lemma 6, for each $l$ there exists $\beta_l \in L(k)$ such that

    $h(\beta_l) = ((C_0)_{\alpha_l}, (C_1)_{\alpha_l}, \ldots, (C_{k-2})_{\alpha_l}, \underbrace{(C_{k-1})_{\beta_l}}_{[C_{k-1} \oplus C_k]_{\alpha_l}}).$

Since $[C_{k-1} \oplus C_k]_{\alpha_l} = [C_{k-1}]_{\beta_l}$, $\beta_l$ can be written as $\beta_l = \tau_1 y_1 \tau_2 y_2 \ldots \tau_l y_l$, where if $x_i$ is an interface transition of $C_{k-1} \oplus C_k$ then $y_i$ is the corresponding interface transition of $C_{k-1}$ of $R_k$, and otherwise $x_i$ and $y_i$ respectively change the token counts of the interface places of $C_{k-1} \oplus C_k$ and $C_{k-1}$ in the same way. Clearly, we may assume that for each $i \geq 1$, the internal transitions of $C_0 \oplus \cdots \oplus C_{k-2}$ fire in exactly the same way in $\sigma_i$ and $\tau_i$. Let $M_i$ be the marking of $R_{k+1}$ reached right after the firing of $x_i$, and $N_i$ the marking of $R_k$ reached right after the firing of $y_i$. Call a tuple of the form

    $(x_i, M_i, y_i, N_i, x_{i+1}, M_{i+1})$

a pattern. Note that by Lemma 2 and the assumption that $R_2$ is structurally bounded, both $R_k$ and $R_{k+1}$ have only finitely many distinct reachable markings. Thus if $l$ is sufficiently large, then all patterns that appear in $\alpha_{l'}$ and $\beta_{l'}$ for any $l' > l$ appear in $\alpha_l$ and $\beta_l$. Then for $\alpha_{l+1} = \sigma_1 x_1 \ldots \sigma_l x_l \sigma_{l+1} x_{l+1}$, there exists a pattern

    $(x_j, M_j, y_j, N_j, x_{j+1}, M_{j+1}) = (x_l, M_l, y_l, N_l, x_{l+1}, M_{l+1}),$

$j < l$, that appears in $\alpha_l$ and $\beta_l$. This means that in $R_k$, we can fire $\tau_{j+1} y_{j+1}$ after $\beta_l$ and obtain a sequence $\beta' = \beta_l \tau_{j+1} y_{j+1} \in L(k)$. Clearly

    $h(\beta') = ((C_0)_{\alpha_{l+1}}, (C_1)_{\alpha_{l+1}}, \ldots, (C_{k-2})_{\alpha_{l+1}}, \underbrace{(C_{k-1})_{\beta'}}_{[C_{k-1} \oplus C_k]_{\alpha_{l+1}}})$

and $R_k$ is at marking $N_{j+1}$ after $\beta'$. Thus we can continue to extend $\beta'$ in a similar manner and obtain $\gamma \in L^\infty(k)$ such that

    $h(\gamma) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_{k-1})_\gamma}_{[C_{k-1} \oplus C_k]_\alpha}).$

This completes the proof of the existence of $\gamma$ satisfying equation (4).

Since $\gamma$ obtained above may not be legal at $C_{k-1}$, we convert it into a legal sequence $\beta \in L(k)$. By $R_2 \sim R_k$ and Lemma 1, for each prefix $\gamma'$ of $\gamma$ there exists $\gamma'' \in L(2)$ such that

    $h(\gamma'') = (\underbrace{(C_0)_{\gamma''}}_{[C_0 \oplus \cdots \oplus C_{k-2}]_{\gamma'}}, (C_{k-1})_{\gamma'}).$

Thus by Lemma 2, the structural boundedness of $R_2$, and an argument similar to the one given above for $\alpha$, we can show that there exists $\delta \in L^\infty(2)$ such that

    $h(\delta) = (\underbrace{(C_0)_\delta}_{[C_0 \oplus \cdots \oplus C_{k-2}]_\gamma}, (C_1)_\delta).$

Then, since $[C_1]_\delta = [C_{k-1} \oplus C_k]_\alpha$, by Lemma 3 there exists $\varepsilon \in L^\infty(3)$ such that

    $h(\varepsilon) = ((C_0)_\delta, (C_{k-1})_\alpha, (C_k)_\alpha).$

Then since $R_2 \approx R_3$ and both $(C_{k-1})_\alpha$ and $(C_k)_\alpha$ are legal, there exists $\zeta \in L^\infty(2)$ such that

    $h(\zeta) = ((C_0)_\delta, \underbrace{(C_1)_\zeta}_{[C_{k-1} \oplus C_k]_\alpha}),$

where $(C_1)_\zeta$ is legal. Then by Lemma 3, there exists $\beta \in L^\infty(k)$ such that

    $h(\beta) = ((C_0)_\alpha, (C_1)_\alpha, \ldots, (C_{k-2})_\alpha, \underbrace{(C_{k-1})_\beta}_{[C_{k-1} \oplus C_k]_\alpha}).$

Since all elements of $h(\beta)$ including $(C_{k-1})_\beta$ are legal, $\beta \in L(k)$. This completes the proof of the existence of $\beta \in L(k)$ satisfying equation (3). □

Proof of Theorem 1 By Lemmas 4 and 7, if $R_2$ is structurally bounded, $R_2 \approx R_3$ and $R_2 \sim R_k$ for some $k \geq 3$, then $R_2 \sim R_{k+1}$. Thus the theorem follows by induction. □


A typical argument for proving the correctness of $R_k$ is to show that

    $S \subseteq \{((C_i))_\alpha \mid \alpha \in L(k)\} \subseteq S'$

holds for all $0 \leq i \leq k-1$, where $S$ and $S'$ are sets of firing sequences of $C$ describing certain properties of $C_i$. (We may have to use slightly different sets for $i = 0$, since the initial marking of $C_0$ can be different from those of the other copies of $C$.) For example, $S'$ may consist of the sequences in which every firing of a transition representing "request critical section" is followed by a firing of another transition representing "enter critical section," to ensure that every request of $C_i$ to enter its critical section will eventually be granted. The use of some nonempty $S$ eliminates the case when $C_i$ satisfies the condition imposed by $S'$ by having, for example, $\{((C_i))_\alpha \mid \alpha \in L(k)\} = \emptyset$. If $R_2$ is structurally bounded, $R_2 \approx R_3$ and $R_2$ is correct in the above sense, then by Theorem 1 and the fact that $\{(C_i)_\alpha \mid \alpha \in L(2)\} = \{(C_j)_\alpha \mid \alpha \in L(k)\}$ implies $\{((C_i))_\alpha \mid \alpha \in L(2)\} = \{((C_j))_\alpha \mid \alpha \in L(k)\}$, we can conclude that $R_k$ is correct for any $k \geq 2$. In principle, if $R_2$ and $R_3$ are finite state systems, then the correctness of $R_2$ and whether or not $R_2 \approx R_3$ can be tested automatically using a conventional theorem prover.³ As is seen from the discussion given in Appendix A, whether or not $R_2$ is structurally bounded can be tested by solving a set of linear inequalities.
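The linear-inequality test referred to here, carried out on a small net, as an added example (not the paper's own code, and not the appendix's proof). It builds the incidence matrix in the convention of Appendix A ($A$ is $m \times n$, $a_{ij} = F(t_i,p_j) - F(p_j,t_i)$) and searches for a certificate vector $y$ of positive integers with $A y \leq 0$; that a net is structurally bounded exactly when such a $y$ exists is the standard characterization, not something stated on this page. The arcs of the token-passing component $C$ of Section 4 are an assumed reading of Table 1 (the figure is not reproduced here): $v_3$ is assumed to return the process to idle, and $v_4$ to require an idle process. The open component, whose $u_1$ has no input place, is shown beside the closed ring $R_2$ so that the effect of fusing the interfaces is visible.

```python
"""
Structural-boundedness test via the incidence matrix (added example).
Convention as in Appendix A: A is m x n (transitions x places) with
a_ij = F(t_i, p_j) - F(p_j, t_i).  Certificate: a vector y of positive
integers with A y <= 0.  Then y . M never increases when a transition fires,
so from any initial marking M_0 every place p satisfies M(p) <= (y . M_0)/y(p).
"""
from itertools import product

# One copy of C as (name, pre, post) over place numbers 1..5 (Table 1:
# 1 idle, 2 waiting, 3 have received the token, 4 critical section,
# 5 ready to send).  ASSUMED arcs: v3 returns to idle, v4 needs an idle process.
COMPONENT = [
    ("u1", {}, {3: 1}),                 # receive the token (left interface)
    ("v1", {1: 1}, {2: 1}),             # request the critical section
    ("v2", {2: 1, 3: 1}, {4: 1}),       # enter the critical section
    ("v3", {4: 1}, {1: 1, 5: 1}),       # leave the critical section
    ("v4", {1: 1, 3: 1}, {1: 1, 5: 1}), # pass the token while idle
    ("w1", {5: 1}, {}),                 # send the token (right interface)
]

def open_component():
    """C by itself: u1 is a source transition, so nothing bounds p3."""
    return [1, 2, 3, 4, 5], COMPONENT

def ring_r2():
    """R_2: two copies of C; w1 of C_i fused with u1 of C_{1-i} into t_{i,1}."""
    places = [(i, p) for i in (0, 1) for p in range(1, 6)]
    trans = []
    for i in (0, 1):
        for name, pre, post in COMPONENT:
            if name in ("u1", "w1"):
                continue                # replaced by the fused t_{i,1} below
            trans.append((f"{name}_{i}",
                          {(i, p): n for p, n in pre.items()},
                          {(i, p): n for p, n in post.items()}))
        trans.append((f"t_{i},1", {(i, 5): 1}, {(1 - i, 3): 1}))
    return places, trans

def incidence_matrix(places, transitions):
    """Row per transition, column per place: token change caused by one firing."""
    col = {p: j for j, p in enumerate(places)}
    A = []
    for _, pre, post in transitions:
        row = [0] * len(places)
        for p, n in pre.items():
            row[col[p]] -= n
        for p, n in post.items():
            row[col[p]] += n
        A.append(row)
    return A

def weighted_change(A, y):
    """A y: change of the y-weighted token count per transition."""
    return [sum(a * w for a, w in zip(row, y)) for row in A]

def find_bound_vector(A, max_weight=3):
    """Exhaustive search for y > 0 with A y <= 0.  Fine for a handful of
    places; an LP/ILP solver replaces it for real nets.  Returns y or None."""
    for y in product(range(1, max_weight + 1), repeat=len(A[0])):
        if all(c <= 0 for c in weighted_change(A, y)):
            return list(y)
    return None

def structurally_bounded(net, max_weight=3):
    places, trans = net
    return find_bound_vector(incidence_matrix(places, trans), max_weight) is not None

if __name__ == "__main__":
    print("C alone bounded?", structurally_bounded(open_component()))
    print("R_2 bounded?    ", structurally_bounded(ring_r2()))
    print("certificate y   ", find_bound_vector(incidence_matrix(*ring_r2())))
```

For $R_2$ the search returns the weighting that gives the critical-section place $p_4$ weight 2 and every other place weight 1; checking that every row of $A y$ is $\leq 0$ is exactly the set of linear inequalities the text mentions, one inequality per transition.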

Note that the proof method described above allows us to verify only "local" properties of the copies of $C$ in $R_k$. To prove certain "global" properties of $R_k$, such as mutual exclusion ("only one copy of $C$ in $R_k$ can enter a critical section at a time"), we need a result such as the following.

For a firing sequence $\alpha \in L(k)$ and each $1 \leq j \leq m$, where $m$ is the number of interface transitions of $C$ on each side, let $p_j(\alpha)$ be the sequence obtained from $\alpha$ by deleting all transitions except the $j$-th interface transitions $t_{0,j}, t_{1,j}, \ldots, t_{k-1,j}$.

Theorem 2 If $R_k \sim R_{k+1}$ for some $k \geq 2$ and $p_j(\alpha)$ is either $(t_{0,j} t_{1,j} \cdots t_{k-1,j})^\omega$ or its prefix for any $\alpha \in L(k)$, then $p_j(\alpha)$ is either $(t_{0,j} t_{1,j} \cdots t_{k-1,j} t_{k,j})^\omega$ or its prefix for any $\alpha \in L(k+1)$.

Proof Suppose that there exists $\alpha \in L(k+1)$ such that $p_j(\alpha)$ is not $(t_{0,j} t_{1,j} \ldots t_{k-1,j} t_{k,j})^\omega$ or its prefix. Then in $\alpha$, either (a) some component $C_i$, $i \neq 0$, fires $t_{i,j}$ before $t_{i-1,j}$ fires for the first time, or (b) some component $C_i$ fires $t_{i,j}$ twice without firing $t_{i-1,j}$ between the two firings of $t_{i,j}$. (Here, subscript $i-1$ is computed mod $(k+1)$.) Since $R_k \sim R_{k+1}$, there exists $\beta \in L(k)$ such that (a) $(C_i)_\alpha = (C_1)_\beta$ if $i \neq 0$ and (b) $(C_i)_\alpha = (C_0)_\beta$ if $i = 0$. Then $p_j(\beta)$ is not $(t_{0,j} t_{1,j} \ldots t_{k-1,j})^\omega$ or its prefix. This is a contradiction. □

Suppose that a firing of $t_{i,j}$ represents the transfer of a "token" (or "privilege") from $C_i$ to $C_{i+1}$. The condition that $p_j(\alpha)$ is either $(t_{0,j} t_{1,j} \ldots t_{k-1,j})^\omega$ or its prefix for any $\alpha \in L(k)$ implies that there exists a unique token in $R_k$ and initially the token resides in $C_0$. Theorems 1 and 2 state that if $R_2$ is structurally bounded, $R_2 \approx R_3$ and there exists a unique token in $R_2$, then there exists a unique token in $R_k$ for any $k \geq 2$. We illustrate this proof method in Section 4.

4 Token-Passing Mutual Exclusion

Mutual exclusion is the problem of ensuring that at most one process among a set of $k$ processes will be in its "critical section" at a time. One way to assure mutual exclusion is to let the processes form a ring and circulate a unique "privilege token" so that only the process that has the token can enter its critical section [13] [16]. Such a token-passing mutual exclusion algorithm is used in [25] to illustrate the use of an invariant-based induction theorem. In this section, we model each process of a ring as a component and use our induction theorem (Theorem 1) to prove that the given algorithm is correct regardless of the size of the ring. We follow the general strategy outlined at the end of Section 3.

³ We regard the reachability graph of a bounded Petri net with fairness as the state transition diagram of an ω-automaton that accepts both finite and infinite sequences [15], and then use known decision algorithms for such automata. Although the containment problem for ω-automata is PSPACE-complete [18] and thus the decision algorithms can be highly inefficient, it may still be feasible to use this method for small rings such as $R_2$ and $R_3$. Details will be reported elsewhere.

Figure 6: Component $C$ for token-passing mutual exclusion.

Table 1: Places and transitions of $C$.

    p1   idle
    p2   waiting
    p3   have received the privilege token
    p4   critical section
    p5   ready to send the privilege token
    u1   receive the privilege token
    v1   request the critical section
    v2   enter the critical section
    v3   leave the critical section
    v4   pass the privilege token
    w1   send the privilege token

In this section, "$C$" refers to the component shown in Figure 6 that models a process in such a ring. Table 1 describes the events and conditions represented by the transitions and places. Transition $u_1$ is the only left interface transition, and $w_1$ is the only right interface transition. The initial marking of ring $R_k$ is given as $M_k = (M, M', \ldots, M')$, where $M$ is for $C_0$ and $M'$ for $C_1, \ldots, C_{k-1}$. $M$ is given by $M(p_1) = 1$, $M(p_2) = 0$, $M(p_3) = 1$, $M(p_4) = 0$ and $M(p_5) = 0$, which we write $(10100)$. Using the same notation, we define $M' = (10000)$. Thus initially, all components are idling and $C_0$ has the unique privilege token in place $p_{0,3}$. ($p_{0,3}$ is the copy of $p_3$ in $C_0$.) We take $T_k = \emptyset$, and thus $f_k = f(T_k) = \mathrm{true}$. So a component can make either infinitely many requests or only a finite number of requests.

Component $C$ fires $v_1$ when it requests the critical section and then waits (in $p_2$) until the privilege token arrives in place $p_3$ by a firing of $u_1$. Then it enters and leaves the critical section by firing $v_2$ and $v_3$, respectively. This brings the privilege token to $p_5$, and a firing of $w_1$ sends it to the next component. If the privilege token arrives in $p_3$ when $C$ is idling, then it can be sent to $p_5$ by a firing of $v_4$. Note that progress assures that the privilege token eventually reaches $p_5$.
Lemma 8 $R_2$ is structurally bounded.

Proof The proof is found in Appendix A. □

The reachability graph $G_k$ of $R_k$ is a directed graph in which the vertices represent the markings of $R_k$ reachable from the initial marking $M_k$ and there is an arc with label $t$ from a vertex $v$ to a vertex $v'$ if the marking represented by $v'$ is reachable from the marking represented by $v$ when transition $t$ fires. For convenience, we identify the markings of $R_k$ and the vertices of $G_k$ that represent them. (So "vertex $M_k$" refers to the vertex representing marking $M_k$.) Any firing sequence in $R_k$ corresponds to a path in $G_k$ in a natural way.
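The reachability-graph analysis that the following lemmas carry out by hand on $G_2$, done mechanically for $R_2$, $R_3$ and $R_4$, as an added example that is not the paper's own code. The arcs of $C$ are an assumed reading of Table 1 (Figure 6 is not reproduced here): $v_3$ is assumed to return the process to idle as well as moving the token to $p_5$, and $v_4$ is assumed to require an idle process. The code builds $R_k$ by fusing $w_1$ of $C_i$ with $u_1$ of $C_{i+1}$ into $t_{i,1}$, explores $G_k$ by breadth-first search from $M_k$, and checks on every reachable marking the two correctness properties of Theorem 3 (mutual exclusion, and, through the unique-token invariant, the interface order that Theorem 2 needs) together with the fact used in the proof of Lemma 9 that every vertex has an outgoing arc.

```python
"""
Reachability graph G_k of the token-passing ring R_k (added example).
Places of C (Table 1): 1 idle, 2 waiting, 3 have received the token,
4 critical section, 5 ready to send the token.
"""
from collections import deque

# Internal transitions of C as (pre, post) over place numbers.
# ASSUMED arcs: v3 returns to idle; v4 needs (and keeps) an idle process.
INTERNAL = {
    "v1": ({1: 1}, {2: 1}),             # request the critical section
    "v2": ({2: 1, 3: 1}, {4: 1}),       # enter the critical section
    "v3": ({4: 1}, {1: 1, 5: 1}),       # leave the critical section
    "v4": ({1: 1, 3: 1}, {1: 1, 5: 1}), # pass the token while idle
}

def build_ring(k):
    """Transitions of R_k over places (i, p).  t_{i,1} is w1 of C_i fused
    with u1 of C_{i+1}: it moves the token from p_{i,5} to p_{i+1,3}."""
    trans = {}
    for i in range(k):
        for name, (pre, post) in INTERNAL.items():
            trans[f"{name}_{i}"] = ({(i, p): n for p, n in pre.items()},
                                    {(i, p): n for p, n in post.items()})
        trans[f"t_{i},1"] = ({(i, 5): 1}, {((i + 1) % k, 3): 1})
    return trans

def initial_marking(k):
    """M_k = (M, M', ..., M') with M = (10100) for C_0 and M' = (10000)."""
    m = {(i, p): 0 for i in range(k) for p in range(1, 6)}
    for i in range(k):
        m[(i, 1)] = 1
    m[(0, 3)] = 1
    return tuple(sorted(m.items()))      # hashable, canonical form

def enabled(marking, pre):
    m = dict(marking)
    return all(m[pl] >= n for pl, n in pre.items())

def fire(marking, pre, post):
    m = dict(marking)
    for pl, n in pre.items():
        m[pl] -= n
    for pl, n in post.items():
        m[pl] += n
    return tuple(sorted(m.items()))

def reachability_graph(k):
    """BFS from M_k; returns {marking: [(label, successor marking), ...]}."""
    trans, start = build_ring(k), initial_marking(k)
    graph, queue = {}, deque([start])
    while queue:
        m = queue.popleft()
        if m in graph:
            continue
        graph[m] = []
        for label, (pre, post) in trans.items():
            if enabled(m, pre):
                nxt = fire(m, pre, post)
                graph[m].append((label, nxt))
                queue.append(nxt)
    return graph

def check_ring(k):
    """Check safety and structural facts about G_k on every reachable marking."""
    graph = reachability_graph(k)
    res = {"k": k, "markings": len(graph), "mutual_exclusion": True,
           "unique_token": True, "no_deadlock": True, "interface_order": True}
    for m, arcs in graph.items():
        d = dict(m)
        in_cs = [i for i in range(k) if d[(i, 4)] > 0]
        held = [d[(i, 3)] + d[(i, 4)] + d[(i, 5)] for i in range(k)]
        holders = [i for i in range(k) if held[i] > 0]
        res["mutual_exclusion"] &= len(in_cs) <= 1          # Theorem 3 (2)
        res["unique_token"] &= sum(held) == 1                # one privilege token
        res["no_deadlock"] &= len(arcs) > 0                  # every vertex has an arc
        for label, _ in arcs:                                # Theorem 2's premise:
            if label.startswith("t_"):                       # only the holder passes
                res["interface_order"] &= (len(holders) == 1
                                           and label == f"t_{holders[0]},1")
    return res

if __name__ == "__main__":
    for k in (2, 3, 4):
        print(check_ring(k))
```

Under the assumed arcs the token holder has five local states and every other copy two (idle or waiting), so $G_k$ has $5 \cdot k \cdot 2^{k-1}$ vertices (20 for $R_2$, 60 for $R_3$). The interface-order check is the graph-level counterpart of $p(\alpha) = (t_{0,1} t_{1,1})^\omega$ in Lemma 11: with a single token, the only interface transition ever enabled is the one leaving the current holder, so the $t_{i,1}$ fire in cyclic order.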

Lemma 9 $R_2 \approx R_3$.

Proof Since the set $T_k$ of transitions that must be fired fairly is empty for all $k \geq 2$, we only need to show that $R_2 \sim R_3$. By Lemma 3, it suffices to show that

1. $\{[C_0]_\alpha \mid \alpha \in L(2)\} = \{[C_0]_\alpha \mid \alpha \in L(3)\}$, and

2. $\{[C_1]_\alpha \mid \alpha \in L(2)\} = \{[C_i]_\alpha \mid \alpha \in L(3)\}$ for $i = 1, 2$.

In the following, we give an outline of the proof of $\{[C_1]_\alpha \mid \alpha \in L(2)\} = \{[C_1]_\alpha \mid \alpha \in L(3)\}$ and leave the remaining cases to the reader. Since $T_2 = \emptyset$ and every vertex of $G_2$ (not shown) has at least one outgoing arc, $L(2)$ consists of the infinite sequences represented by the infinite paths in $G_2$ starting from vertex $M_2$. By examining $G_2$, we can show that in any infinite path in $G_2$ starting from vertex $M_2$, arcs labeled $t_{0,1}$ and arcs labeled $t_{1,1}$ occur infinitely often and alternately, starting with an arc labeled $t_{0,1}$. ($t_{0,1}$ and $t_{1,1}$ are the copies of $u_1$ and $w_1$ in $C_1$, respectively.) So if we let $[[C_a \oplus \cdots \oplus C_b]]_\alpha$ denote the sequence obtained from $[C_a \oplus \cdots \oplus C_b]_\alpha$ by deleting the firability vectors, then we have $\{[[C_1]]_\alpha \mid \alpha \in L(2)\} = \{(u_1 w_1)^\omega\}$. The firability vectors of $C_1$ have the form $\binom{x}{y}$, where $x$ and $y$ are the token counts of places $p_{0,5}$ and $p_{1,5}$, respectively, and it is easy to insert them into $(u_1 w_1)^\omega$ to obtain

    $\{[C_1]_\alpha \mid \alpha \in L(2)\} = \left\{\left(\binom{1}{0} u_1 \binom{0}{1} w_1\right)^\omega\right\}.$

Using an analogous argument for $R_3$, we can show that

    $\{[C_1]_\alpha \mid \alpha \in L(3)\} = \left\{\left(\binom{1}{0} u_1 \binom{0}{1} w_1\right)^\omega\right\}.$

Thus

    $\{[C_1]_\alpha \mid \alpha \in L(2)\} = \{[C_1]_\alpha \mid \alpha \in L(3)\}.$

□

A firing sequence satisfies formula $t \supset \Diamond t'$ ("if $t$ then eventually $t'$") if every occurrence of $t$ is followed by an occurrence of $t'$.
Lemma 10 (Liveness of $R_2$) A process that requests its critical section eventually enters it, i.e., for $i = 0, 1$,

    $S_i \subseteq \{((C_i))_\alpha \mid \alpha \in L(2)\} \subseteq S'$

for some nonempty $S_i$ and $S' = \{\alpha \in T^\omega \mid \alpha \text{ satisfies } v_1 \supset \Diamond v_2\}$, where $T$ is the set of transitions of $C$.

Proof We prove the claim for $i = 1$ and leave the case $i = 0$ to the reader. The first "$\subseteq$" is trivial. We can show that every maximal simple path in $G_2$ starting with an arc labeled $v_{1,1}$ contains an arc labeled $v_{1,2}$. ($v_{1,1}$ and $v_{1,2}$ are the copies of $v_1$ and $v_2$ in $C_1$, respectively.) This proves the second "$\subseteq$." □

In $R_2$, a firing of $t_{0,1}$ (the copy of $u_1$ in $C_1$) and a firing of $t_{1,1}$ (the copy of $w_1$ in $C_1$) represent the transfer of the privilege token, and each of $C_0$ and $C_1$ can be in its critical section only while it has the privilege token. The following lemma is based on this observation. For $\alpha \in L(2)$, $p(\alpha)$ denotes the sequence obtained from $\alpha$ by deleting all transitions except the interface transitions $t_{0,1}$ and $t_{1,1}$.

Lemma 11 (Safeness of $R_2$) $C_0$ and $C_1$ cannot be in their critical sections at the same time, i.e., $p(\alpha) = (t_{0,1} t_{1,1})^\omega$ for any $\alpha \in L(2)$.

Proof The lemma is immediate from $\{[[C_1]]_\alpha \mid \alpha \in L(2)\} = \{(u_1 w_1)^\omega\}$ given in the proof of Lemma 9. □

Finally, we have the following theorem.

Theorem 3 (Correctness of $R_k$) For any $k \geq 2$, in ring $R_k$

1. a process that requests its critical section eventually enters it, and

2. no two processes can be in their critical sections at the same time.

Proof The theorem follows from Theorems 1 and 2 and Lemmas 8, 9, 10 and 11. □

5 A Simple Producer-Consumers System

Consider a ring consisting of one "producer" and many identical "consumers." The producer generates a product that is circulated in the ring. A consumer receiving a product can either pass it (without consuming it) to its right neighbor, or "consume" it and send "garbage" to the right neighbor. Garbage received by a consumer is always passed to its right neighbor. The producer can generate a new product only when it receives garbage from its left neighbor. We assume that the producer is allowed to pass or consume a product that has been returned. If the producer consumes a product, it then sends garbage to its right neighbor. We assume that at any time, there can be only one object (a product or garbage) in the ring.

In this section, "$C$" refers to the component shown in Figure 7 that models a process in such a ring. We assume that in $R_k$ consisting of $k$ components, $C_0$ is the producer and $C_1, \ldots, C_{k-1}$ are the consumers. Table 2 describes the events and conditions represented
Figure 7: Component $C$ for a producer-consumers system.

Table 2: Places and transitions of $C$.

    p1   have received a product
    p2   ready to send a product
    p3   have received garbage
    p4   ready to send garbage
    p5   one token for producer, empty for consumer
    u1   receive a product
    u2   receive garbage
    v1   pass a product
    v2   consume a product
    v3   pass garbage
    v4   generate a product (producer only)
    w1   send a product
    w2   send garbage

Figure 8: Structure of $G_2$.

by the transitions and places. Transitions $u_1$ and $u_2$ are the left interface transitions, and $w_1$ and $w_2$ are the right interface transitions. The initial marking of ring $R_k$ is given as $M_k = (M, M', \ldots, M')$, where $M = (00101)$ is for producer $C_0$ and $M' = (00000)$ is for consumers $C_1, \ldots, C_{k-1}$. (This notation was introduced in Section 4.) Note that transition $v_4$ ("generate a product") can fire only in $C_0$, and initially $C_0$ has garbage in place $p_{0,3}$. ($p_{0,3}$ is the copy of $p_3$ in $C_0$.) We take $T_k$ to be the set of all transitions of $R_k$. This means that no component is allowed to always pass or always consume a product from some time on, and the producer must generate a product infinitely often if garbage is returned infinitely often. The system is considered to be correct if all components consume a product infinitely many times.

Lemma 12 $R_2$ is structurally bounded.

Proof The proof is found in Appendix A. □

Lemma 13 $R_2 \approx R_3$.

Proof By Lemma 3, it suffices to show that

1. $\{[C_0]_\alpha \mid \alpha \in L_{\neg 0}(2)\} = \{[C_0]_\alpha \mid \alpha \in L_{\neg 0}(3)\}$, and

2. $\{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(2)\} = \{[C_i]_\alpha \mid \alpha \in L_{\neg i}(3)\}$ for $i = 1, 2$.

In the following, we give an outline of the proof of

    $\{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(2)\} = \{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(3)\}$  (5)

and leave the remaining cases to the reader. As we did in the proof of Lemma 9, let us first characterize the set $\{[[C_1]]_\alpha \mid \alpha \in L_{\neg 1}(2)\}$. Figure 8 shows the structure of $G_2$ and the labels of its arcs, where vertex $X_1$ represents the initial marking $M_2$. Since every vertex of $G_2$ has at least one outgoing arc, no finite path in $G_2$ represents a firing sequence in $L_{\neg 1}(2)$. This, together with the structure of $G_2$ and the fact that $t_{0,1}$, $t_{0,2}$, $t_{1,1}$ and $t_{1,2}$ are the copies of $u_1$, $u_2$, $w_1$ and $w_2$ in $C_1$, respectively, shows that $\{[[C_1]]_\alpha \mid \alpha \in L_{\neg 1}(2)\}$ is a subset of $\{u_1 w_1, u_1 w_2, u_2 w_2\}^\omega$. Furthermore, any infinite path from $X_1$ representing a firing sequence in $L_{\neg 1}(2)$ must visit vertex $X_1$ infinitely often (by the firings of $t_{1,2}$), since otherwise, … is visited infinitely often but $X_2$ is not, and thus the fairness condition at $C_0$ (that $v_{0,2}$ must be fired infinitely often if it becomes firable infinitely often) is violated. Since $X_1$ is visited infinitely often, again by the fairness condition on $v_{0,3}$ and $v_{0,4}$ of $C_0$, both $t_{0,1}$ and $t_{0,2}$ must fire infinitely often. Also, the fairness condition on $v_{0,1}$ and $v_{0,2}$ of $C_0$ requires that if $X_5$ is visited infinitely often (by the firings of $t_{1,1}$), then both $v_{0,1}$ and $v_{0,2}$ must fire infinitely often. Thus $\{[[C_1]]_\alpha \mid \alpha \in L_{\neg 1}(2)\} \subseteq U$, where $U$ is the set of sequences in $\{u_1 w_1, u_1 w_2, u_2 w_2\}^\omega$ such that (a) both $w_2 u_1$ and $w_2 u_2$ appear infinitely often, and (b) if $w_1$ appears infinitely often then both $w_1 u_1$ and $w_1 u_2$ appear infinitely often. Conversely, we can easily show that for any sequence $\sigma \in U$, there exists some $\tau \in L_{\neg 1}(2)$ that is legal at $C_0$ such that $[[C_1]]_\tau = \sigma$. Therefore $\{[[C_1]]_\alpha \mid \alpha \in L_{\neg 1}(2)\} = U$. We then obtain $\{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(2)\}$ by inserting, into the sequences in $U$, the firability vectors of $C_1$ having the form

    $(x_1, x_2, x_3, x_4)^{\mathrm{T}},$

where $x_1, \ldots, x_4$ are the token counts of places $p_{0,2}$, $p_{0,4}$, $p_{1,2}$ and $p_{1,4}$, respectively. Since (a) at most one of $p_{0,2}$, $p_{0,4}$, $p_{1,2}$ and $p_{1,4}$ can have a token at a time and (b) $p_{0,2}$, $p_{0,4}$, $p_{1,2}$ and $p_{1,4}$ can lose a token only when $t_{0,1}$, $t_{0,2}$, $t_{1,1}$ and $t_{1,2}$ fire, respectively, $\{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(2)\}$ is the set of sequences obtained from the sequences in $U$ by replacing $u_1$, $u_2$, $w_1$ and $w_2$ by

    $(1,0,0,0)^{\mathrm{T}} u_1,\quad (0,1,0,0)^{\mathrm{T}} u_2,\quad (0,0,1,0)^{\mathrm{T}} w_1 \quad\text{and}\quad (0,0,0,1)^{\mathrm{T}} w_2,$

respectively. Using an analogous argument on $G_3$, which has 12 vertices, we can show that $\{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(3)\}$ coincides with $\{[C_1]_\alpha \mid \alpha \in L_{\neg 1}(2)\}$ obtained above. □

A firing sequence satisfies formula $\Box\Diamond t$ ("infinitely often $t$") if $t$ occurs infinitely often in it.

Lemma 14 (Liveness of $R_2$) Both $C_0$ and $C_1$ consume a product infinitely often, i.e., for $i = 0, 1$,

    $S_i \subseteq \{((C_i))_\alpha \mid \alpha \in L(2)\} \subseteq S'$

for some nonempty $S_i$ and $S' = \{\alpha \in T^\omega \mid \alpha \text{ satisfies } \Box\Diamond v_2\}$, where $T$ is the set of transitions of $C$.

Proof By examining $G_2$ and using the fairness condition on $C_0$ and $C_1$, we can show that both $v_{0,2}$ and $v_{1,2}$ must fire infinitely often, where $v_{0,2}$ and $v_{1,2}$ are the copies of $v_2$ ("consume a product") in $C_0$ and $C_1$, respectively. The argument is basically similar to that used in the proof of Lemma 13, and is thus omitted. □

Finally, we have the following theorem.

Theorem 4 (Correctness of $R_k$) For any $k \geq 2$, in ring $R_k$ each component consumes a product infinitely often.

Proof The theorem follows from Theorem 1 and Lemmas 12, 13 and 14. □
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6  Concluding  Remarks 


We have introduced the concept of similarity between two process rings of fair Petri nets, and proved a structural induction theorem (Theorem 1) that can be used to prove the correctness of a ring of any large size from the correctness of a ring having only a few components. The theorem has been applied to the verification problem of two examples, token-passing mutual exclusion and a simple producer-consumer system.

The main condition needed for applying the theorem is the strong similarity between $R_2$ and $R_3$, i.e., $R_2 \approx R_3$. It can happen, however, that for some $k > 3$, all rings $R_\ell$, $\ell \ge k$, are mutually similar but $R_2 \approx R_3$ does not hold. Such rings may still admit induction similar to that of Theorem 1. We are currently working on a more general version of the theorem that can be applied to such cases. Some results in this direction can be found in [9].

As was pointed out in Section 3, testing the strong similarity of two rings using an automatic verifier can be time-consuming. It is desirable that we find simple sufficient conditions for two rings to be strongly similar. Another direction of research is to apply the ideas developed for rings in this paper to other network topologies, such as stars, trees, chains, meshes and completely connected graphs. It is an interesting problem to develop analogous induction methods for such networks.


Appendix  A 

For a Petri net $N = (P, T, F)$ such that $P = \{p_1, \ldots, p_n\}$ and $T = \{t_1, \ldots, t_m\}$, the incidence matrix of $N$ is an $m \times n$ matrix $A = [a_{ij}]$ such that $a_{ij} = F(t_i, p_j) - F(p_j, t_i)$. Note that $a_{ij}$ is the change in the token count of place $p_j$ when transition $t_i$ fires once. It is known that $N$ is structurally bounded iff there exists an $n$-dimensional vector $y$ of positive integers such that $Ay \le 0$ [14]. ($y$ is called an S-invariant if $Ay = 0$.) The condition $Ay \le 0$ assures that the weighted sum of token counts of a marking never increases after a firing of any transition, where the $j$-th element of $y$ is the weight assigned to $p_j$.

Proof of Lemma 2 Assume that $C$ has $n$ places, $s$ internal transitions and $m$ interface transitions on each side. For any $k \ge 2$, since the components $C_0, \ldots, C_{k-1}$ have the same structure and only the interface transitions between two components can be connected to the places in both, the incidence matrix $A_k$ for $R_k$ can be written as a $k(s+m) \times kn$ matrix

$$A_k = \begin{pmatrix}
B & 0 & 0 & \cdots & 0 \\
D & E & 0 & \cdots & 0 \\
0 & B & 0 & \cdots & 0 \\
0 & D & E & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & B \\
E & 0 & 0 & \cdots & D
\end{pmatrix}$$

where $B$ is an $s \times n$ matrix describing the connections among the $n$ places and $s$ internal transitions of a component, $D$ and $E$ are $m \times n$ matrices such that $(D \ E)$ describes the connections among the $2n$ places of two consecutive components and $m$ interface transitions between them, and $0$ is a zero matrix of appropriate dimensions. Since $R_2$ is structurally
bounded, there exists a $2n$-dimensional vector of positive integers

$$y_2 = \begin{pmatrix} a \\ b \end{pmatrix},$$

where $a$ and $b$ are $n$-dimensional vectors, such that

$$A_2 y_2 = \begin{pmatrix} B & 0 \\ D & E \\ 0 & B \\ E & D \end{pmatrix} \begin{pmatrix} a \\ b \end{pmatrix} \le 0.$$

Then $Ba \le 0$, $Da + Eb \le 0$, $Bb \le 0$, and $Ea + Db \le 0$, and thus

$$A_2 \begin{pmatrix} a + b \\ a + b \end{pmatrix} \le 0.$$

Then it is easy to show that the $kn$-dimensional vector

$$y_k = \begin{pmatrix} a + b \\ \vdots \\ a + b \end{pmatrix}$$

satisfies

$$A_k y_k \le 0.$$

So $R_k$ is structurally bounded. □

Proof of Lemma 8 Choose $y$ that assigns 2 to $p_{0,4}$ and $p_{1,4}$ (the copies of $p_4$ in $C_0$ and $C_1$, respectively), and 1 to all other places. Then $y$ satisfies $A_2 y = 0$, where $A_2$ is the incidence matrix of $R_2$. □

Proof of Lemma 12 Choose $y$ that assigns 1 to all places. Then $y$ satisfies $A_2 y = 0$, where $A_2$ is the incidence matrix of $R_2$. □